The host is installed with Cacti 1.2.0 before 1.2.25 and is prone to a stored cross-site-scripting (XSS) vulnerability. A flaw is present in the application, which fails to handle a malicious device name and the `data_sources.php` script. Successful exploitation allows an authenticated attacker to poison data stored in the cacti's database, which will be viewed by administrative cacti accounts and execute JavaScript code in the victim's browser at view-time.